AW: AW: AW: AW: Freeradius + LDAP password trouble
John Dennis
jdennis at redhat.com
Mon Jul 19 17:24:43 CEST 2010
On 07/19/2010 10:20 AM, Lionne Stangier wrote in a private email:
> Thank you.
>
> I have to talk with the LDAP Admin. He should save the password in clear text now.
[ Replying to the list even though this was a private email because I
think this is important information ]
I just also want to make sure you understand there is some inherent risk
with storing cleartext passwords and why the norm is to hash a password
before storage. It is *essential* the passwords are protected by ACLs.
It would be a major security breach if someone could access your ldap
directory and get access to a cleartext version of a password. Getting
access to a hashed version is much less of a compromise but not without
some risk as well, but with cleartext it's game over.
Also some ldap servers have the ability to reversibly encrypt an
attribute such as a cleartext password so that what is stored on disk is
not cleartext, which is one extra piece of protection (our 389-ds ldap
server can do this).
Finally, you don't have to use cleartext if you pick your authentication
mechanisms carefully, you can still use hashes. Consult the
compatibility table, this is what I meant about having some decisions to
make.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/